Re: Unix Application,

[Claudio Broglia <xeon () sysroot eu>]

Quoting IRM <irm () iinet net au>:

> Dear all,
>
> On my recent pen test, I have seen on Unix Apps (written in C) relies on
> UNIX authentication (/etc/passwd and /etc/group) to determine which
> functionalities the user can access to.
> 1) My first question would be what is the rationale of having such
> design? Obviously the authentication design is open to not only the
> application users but to the operating system users.

Yes, application's users would also access system shell. But the idea  
of having users managed by system, instead of a separate database, is  
that you can share them across multiple applications, managing  
centrally rights and permissions, or make them access other services  
(mail, ftp, etc.).
I don't like this very much, but depending on the situation it could  
be the "right way to do it".

> 2) I know on some Unix/Linux flavors, the system could enforce the user
> to change their password every X days. If I am not wrong this setting
> can be set through "/etc/shadow" but what if the user never accesses
> their Shell?
> Would it still enforce the user to change their password?
> (say on /etc/passwd;  username .......: :::::: /bin/apps - instead of
> /bin/sh) - so when the user is actually connect to the terminal, its
> automatically run the application and not a shell - if I am not wrong
> .Profile is run after /bin/sh is called?
>
> Cheers,
> John,

Well, if the application checking for what groups the user belong to  
don't make the user validate, so doesn't check for account  
enabled/disabled/expired password/whatsoever, this setting would be  
obviously ignored.

bye
xeon

Attachment: _bin
Description: PGP Digital Signature